http://www.zone-h.org/en/news/read/id=2986/ SyS64738 - G00db0y 07/02/2003 Zone-H.org statement about the announced "defacement challenge" We at Zone-H have been informed about the oncoming "defacement challenge", a defacer contest that should happen July 6th in which defacers are challenged to deface as many as 6.000 in the shortest time as possible. It is quite clear, judging by the sharp decrease of the defacement notifications occoured during the last days, that the crackers aren't at the beach but they are rather rooting possible targets without defacing them, so to be ready with a lot of ready-to-be-defaced targets to be used on the contest day. Many news have been written about this contest, many of them they were reporting serious alerts about possible Internet service disruption. Those who wrote or reported such alert are obviously not aware about how a defacement is usually done. Those who have a "trained eye" like Zone-H, when analizing the text reported on the defacement-challenge website (www.defacers-challenge.com) understood immediately that being the "rules" stating that there will not be any difference when counting a single defacement (single IP) or a mass-defacement (many domain names on the same IP) and the given time frame will be only six hours, what is mostly going to happen is that a lot of web hosting companies will be hit, instead than single servers belonging to different companies. Due to this, we don't forecast any possible disruption in the Internet service as very little traffic will be generated. In fact, a mass-defacement (even of several thousands domain names) is usually conducted opening a SINGLE connection to the attacked server. Once obtained either root/admin priviledges or webserver priviledges, a special defacement tool (maybe a perl script) is usually uploaded. This tool reads from the webserver configuration files like httpd.conf and automatically substitutes all the main pages (index.html etc) of the hosted websites with the defaced one, doing the job of defacing thousands of websites in a matter of seconds. Judging by the "rumors", we at Zone-H are forecasting an amount of attacks starting from anywhere around 20.000 and up. As usual, Zone-H wants to render a service to the community so here is our advices for the sysadmins: Defacers are usually looking for easy targets, mass defacers in a hurry (as they'll be on July 6th) are looking for even easier targets. All the webserver administrators must : - download and apply all the possible official patches released by the software producers - shut down all the unnecessary modules - close all the unnecessary ports - download one of the many vulnerability scanners and run a security check on their own system Administrators managing their own private server shouldn't be concerned more than usual, while administrators who are managing servers of web-hosting companies should be VERY MUCH concerned. It is unlikely that any server will be hacked July 6th. Most of the servers that will be attacked that day are most likely conquered by crackers a few days before the contest. Due to this, the fact that you downloaded and installed the patches and shut down the unnecessary services is not enough. In fact it is very possible that a backdoor/rootkit has been installed by the attacker to prevent sysadmins to ban future access to their servers because of patching. Considering this, we advice all the sysadmins to : - check for any freshly added user in the userlist (shadow file, sam file etc.) - check for any suspicious connection on the open ports. - run a trojan/backdoor checking program. - look for any suspicious shell program We also want to remind that the most recently exploited vulnerabilities used by defacers are in the following packages/services: - Openssl - Samba - Webdav - Frontpage extension misconfiguration - Aix ftpd - Solaris telnetd - Sendmail - Wuftpd - Proftpd - Phpnuke (not for massdefacement but still a ever present one) - OmniBack II - Cpanel We invite all the IT security online magazine to report this article so to better inform sysadmins about possible countermeasures. SyS64738 - G00db0y www.zone-h.org admins - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 03:40:23 PDT